Sponsored by Hudson Rock Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks

YARA Rule: Hive_ESXI_v3.yar

Group: Hive
Valid Rule

rule Hive_ESXI_v3
{
	meta:
		author = "rivitna"
		family = "ransomware.hive.esxi"
		description = "Hive v3 ransomware ESXI payload"
		severity = 10
		score = 100

	strings:
		$h0 = { 48 69 ?? B5 B4 1B 01 48 C1 E? 20 69 ?? 00 70 0E 00 29 ?? }
		$h1 = { 48 69 ?? 25 30 40 00 48 C1 E? 20 69 ?? 00 F4 0F 00 29 ?? }
		$a0 = "\\.(vm|vs)\\w+$\x00" ascii
		$a1 = "vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off" ascii
		$b0 = "\x00%s.key.%s\x00" ascii
		$b1 = "\x00! export %s" ascii
		$b2 = "\x00+ export %s" ascii
		$b3 = "HOW_TO_DECRYPT.txt\x00" ascii
		$b4 = "\x00+notify /etc/motd\x00" ascii
		$b5 = "\x00+notify %s" ascii
		$b6 = "\x00+ prenotify %s" ascii
		$b7 = "\x00Stopping VMs\x00" ascii

	condition:
		( uint32( 0 ) == 0x464C457F ) and ( ( 2 of ( $h* ) ) or ( ( 1 of ( $a* ) ) and ( 2 of ( $b* ) ) ) )
}